A while ago, I wrote an article describing how you might block or allow certain users from using OWA depending on their location. For example, is it possible to only allow certain users access if they are on the LAN, but not from the Internet? There is currently no built-in way of doing this, but it’s possible if you are prepared to make a small change to one of the .aspx pages. My original method (being a bit crude) relied on the administrator maintaining a list of users in the source code for the logon page itself. Someone sent me a reply, asking if it might be done based on Active Directory group membership. This is, of course, a much better way of doing it. So here goes. It assumes you have a group named something like AllowExternalOWA.

First, locate the startpage.aspx file in C:\Program Files\Microsoft\Exchange Server\v14\ClientAccess\Owa\forms\premium . Make a backup copy, then open it in Notepad. About 5 lines down, you will see a line like this:

There are a few things to note in this code. In the third line, a check is made on the IP address of the client. In this example, the server is checking to see if the IP address begins with “192.168.” (i.e. it is within the private IP addressing range 192.168.x.x). If your addressing scheme is different (e.g. you use something beginning with 10.), you will need to change this line. The second number passed to the .Substring function must match the number of characters you are checking, dots included.

The second thing to note is the group membership check:

if(!oPrincipal.IsInRole("AllowExternalOWA"))

This is a (suggested) group name of permitted users. To make it check for blocked users (note the change in [suggested] group name), change that line to

if(oPrincipal.IsInRole("BlockExternalOWA"))

This takes care of the Premium client. To do the same thing for the Basic client (and to prevent users from circumventing your restrictions), add the same code to the basicmessageview.aspx file in the basic folder. Add the code just before the <html> tag near the beginning of the file.

As with most modifications of this type, you will need to check that they still function after each product update, since the update may replace your modified file with a new one.
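As an added example (not code from the original article), here is a helper that performs the same location and group check with real subnet matching instead of a fixed-width .Substring comparison, so that a short prefix such as 10.1 cannot also match 10.10.x.x and an IPv4 client reported as ::ffff:a.b.c.d is still recognised. The group name and subnets are placeholders; it assumes the ASP.NET HttpContext available in the OWA pages.

```csharp
// Added example, not code from the original article: subnet-based version of the
// startpage.aspx location check. Group name and subnets are placeholders.
using System;
using System.Net;
using System.Net.Sockets;
using System.Security.Principal;
using System.Web;
public static class OwaLocationCheck
{
    // Internal ranges as CIDR. A bare string prefix such as "10.1" also matches
    // 10.10.x.x and 10.12.x.x; comparing address bits avoids that.
    static readonly string[] InternalSubnets = { "192.168.0.0/16", "10.1.0.0/16" };
    public static bool IsInternal(string clientIp)
    {
        if (clientIp == null) return false;
        // Dual-stack IIS may report IPv4 clients as ::ffff:a.b.c.d; strip the prefix.
        if (clientIp.StartsWith("::ffff:", StringComparison.OrdinalIgnoreCase))
            clientIp = clientIp.Substring(7);
        IPAddress addr;
        if (!IPAddress.TryParse(clientIp, out addr)) return false;          // unparsable: external
        if (addr.AddressFamily != AddressFamily.InterNetwork) return false; // pure IPv6: extend if needed
        uint ip = ToUInt32(addr);
        foreach (string cidr in InternalSubnets)
        {
            string[] parts = cidr.Split('/');
            uint net = ToUInt32(IPAddress.Parse(parts[0]));
            int bits = int.Parse(parts[1]);
            uint mask = bits == 0 ? 0u : 0xFFFFFFFFu << (32 - bits);
            if ((ip & mask) == (net & mask)) return true;
        }
        return false;
    }
    static uint ToUInt32(IPAddress a)
    {
        byte[] b = a.GetAddressBytes(); // network byte order
        return ((uint)b[0] << 24) | ((uint)b[1] << 16) | ((uint)b[2] << 8) | b[3];
    }
    // Page usage: if (!OwaLocationCheck.IsAllowed(Context, "AllowExternalOWA")) { Response.Write("Sorry ..."); Response.End(); }
    public static bool IsAllowed(HttpContext ctx, string allowGroup)
    {
        // Behind a reverse proxy this is the proxy's address, so every client looks the same;
        // only a forwarded header set by that proxy can tell the real client apart.
        if (IsInternal(ctx.Request.UserHostAddress)) return true;
        IPrincipal user = ctx.User;
        // IsInRole matches the pre-Windows 2000 (sAMAccountName) group name against the logon
        // token, so membership changes show only after the token is rebuilt (new logon or IIS reset).
        return user != null && user.Identity.IsAuthenticated && user.IsInRole(allowGroup);
    }
}
```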

This works as expected when adding a user to (“BlockExternalOW”) – the user is excluded when attempting to log on. However, after removing the user from the excluded group the user is still excluded until IIS has been restarted. Is there a way to programmatically update roles from the AD before checking if the user is in the excluded group and not have to restart IIS after a change?

I’m having trouble implementing this.
We’ve created an AD group called “RemoteEmailUsers” and added a test user.
When connected to OWA from an IP address outside of our network, this user that’s supposed to have access is blocked. The account logs in normally inside the network.
Any advice?
Thanks!

Thanks for that. Tried it and it reports false, though I know I am in the role.
This is what I suspected. Am unsure how to proceed as I’m not terribly familiar with ASP. How could I list all of the roles for the user attempting to log in? I’d like to see if it’s pulling any of that info properly.
Thanks again!

Thank you! That helped me to see the groups to which the user belonged and to fix the problem!

When I originally created the group, I called it “Remote Email Users”, then changed it to “RemoteEmailUsers”. The ‘pre-Windows 2000’ name didn’t change when I renamed it. I removed those spaces and was able to get in.

I’m testing it right now but think that it’ll be just fine.

Thanks for your help and support, I appreciate it!! This script is fantastic.

After using this for a while it’s really going to work!
Is there any way to add an OR to the list of accepted IPs? I’ve tried a couple of times but am not sure I’m doing it right.
In other words, I’d like to have something like:
if(strIP.Substring(0, 8) != “192.168.” OR “10.10.1.”)
but when I do this, it throws up an error.
Thanks again for this sweet script!

This is C#, so you will need to use the || operator. Also, the way you have written it, while it may have actually compiled (had you used ||), is not as specific as it needs to be. Try this:
if((strIP.Substring(0, 8) != "192.168.") && (strIP.Substring(0, 8) != "10.10.1.")) // && rather than ||: with || the test is always true, since no address can start with both prefixes

This has an added (but small) benefit, in that you are also not restricted to comparing 8 digits, so you could also use:
if((strIP.Substring(0, 8) != "192.168.") && (strIP.Substring(0, 6) != "10.10.")) // && again: the address must fail both tests to count as external

Is there a way to only block by security group and not by IP? I have two OWA instances, I want one for internal and one for external so I want to explicitly filter a certain group from accessing the external site.

I came across a problem with some users that I haven’t been able to fix yet. They were getting the disallowed prompt even though they were internal, and their IP addresses started with the range I specified. On the disallowed screen, it was not showing the user’s IP address, but the proxy server. Both the user and the proxy server IPs were in the specified range of 10.25.x.x, but the user couldn’t get through.

If I logged into OWA (I’m in the OutlookWebAccess AD group), it let me in.

I am trying to use this code for all the users when they log in from a particular segment. When the user tries to log in from the segment which has IP 10.12.25, then uploading attachments should be blocked. This I am achieving by adding your code in the attachfiledialog.aspx file.

We have 2 CAS servers and 2 mailbox servers. When I am trying to log in from 10.12.25.65 and 10.12.25.66 this setting is working, but when I am trying the same from the mailbox server, i.e. IP 10.12.25.63 or 10.12.25.64, this setting is not working.

Try adding some code to reveal the client IP address – you may find that it is using an IPv6 address. Add this as the second line of extra code
Response.Write("IP address = " + strIP);
and look for it in the page source from the IE View menu.

question: the original code does well for allowing specific users to login from other IP addresses. but blocks all internal owa users. what if you want owa to work for every user internal to organization, but only a few select users from outside. (internet)?

admin,
maybe I am confused. (ok I am)…what I am trying to do is allow internal use of owa to all staff, but restrict external use of owa to a few managers.
Not sure if you can help me, but I surely appreciate any and all comments and for you taking the time to answer my request.
-harold

That is what the article should do for you. All internal use is allowed, but only restricted external use. If that is not what you get, then we need to investigate a little. You say that your internal users are getting blocked, so the message they see should indicate what the server thinks their IP address is. This might not be what you are expecting, for example it might be an IPv6 address, not an IPv4 address. Or it might be the address of a proxying server. Can you give me an example of the IP address that is displayed when they see the message

Sorry, you are not allowed to access OWA from this location xxx.xxx.xxx.xxx

hey admin,
sorry but I used a code from another of your pages. utilizing the code above does not throw the error anymore. but we haven’t used OWA from outside in years so I have to get dns and isa ready before I can test out the code externally.
I will followup as soon as I get there.

hey admin,
got a real life test of the code and here is what happened:
(right now, we allow managers to access OWA from home by vpn’ng into lan and then accessing OWA, and we also allow any staff to access OWA when they are at work logged into our lan.)
I took the above code and placed it into startpage.aspx as described above, substituting 10.1 (our internal ip) for 192.168.
I created security group with the all the users allowed access from outside.
(when a staff member vpn’d into the Lan and tried to open OWA, they received the error msg: sorry, you are not allowed… )
(also, when another staff person tried to access OWA during the day while at work logged into our Lan (from ip 10.1.x.x), they received same error message.)
Am I doing something wrong or am I doing something wrong? any suggestions?
ps. thanks in advance for your assistance.
-harold

hey admin,
I am not a programmer nor do I play one on tv, but I am confused. Let me show you what I am doing and tell me where I am messing up.

so…right now, we want about 15 staff members to have the ability to log into our owa from anywhere in the world.(will actually be from somewhere in town, but…) OK, so I created security group with 15 staff and call it “AllowExternalOWA”
then I make a backup copy of “startpage” and then add the following code to “startpage”.

well, that is the problem. when I used phone to try to access owa (turned off wireless and used 3g) I was allowed in. but my work associate, who is not in security group, also was able to log into owa from his phone when he turned off wifi and used his 4g phone. so it appears to not block anybody.
now let me ask you a couple of questions:
1:how does it know to check against the security group.
2:my work associate…he is member of exchange admin group…but not a member of the “AllowOWAExternal” security group…would that be why he can access owa even tho’ not a member of security group?
-let me say, I truly appreciate all of the time you have taken out of your time to help me with this question/problem. I am sure you are very busy in your daily endeavors, and to take the time to help me is very nice of you. thank you…-Harold
ps. I also apologize for being an idiot when it comes to this stuff…believe me, there are some things I know a lot about…this isn’t one of them!!

Don’t worry Harold – it’s only by solving problems that we really learn anything – myself included. It’s quite likely that there is something I’m not noticing. For one thing, my latest assumption was that no-one could access it, rather than everybody.

The bit that checks group membership is this

if(!oPrincipal.IsInRole("OWA_External_Clients"))

The exclamation mark ! means ‘Not’, so basically, it is saying ‘if the user is not in the OWA_External_Clients group, then execute the following block of code’, which is meant to display the message, and then stop execution.

One thing you might try (to help troubleshooting) is to insert the line

Response.Write("User is in group = " + oPrincipal.IsInRole("OWA_External_Clients"));

before the above if… line, and see if you can see the word ‘true’ or ‘false’ displayed anywhere. That will tell you if it believes that the user is in the group, or not. You may need to look at the browser’s page source to see it, since randomly inserted bits of text like this are easily hidden by css-positioned DIVs.

Another thing is to make sure (especially if you copy/paste code from a WordPress blog like this) that any quotes in your code are the nice simple ones that are just vertical lines of a few pixels, and not the ‘fancy’ ones made of a blob and a curly tail. WordPress thinks we like the fancy ones, but they break code, since they are not legal quote characters in code.

Hi, I want to disable OWA for particular group members, where they should not have access to OWA from outside the network. I have created group “BlockExternalOWA”; OWA is now not working inside the network also. I used the command below. We are using Exchange 2010.

Just curious if there is a way to do the check on an active directory user rather than a security group? Also, can the rule be applied to multiple users accessing from different IPs? IE user1 can only log in from IP1. User2 can only log in from IP2, etc.

Thanks so much for the post, as this is exactly what our organization is currently trying to accomplish. I seem to have hit a snag however. The code works as expected for IE (regular mode), however in Chrome, Firefox or IE (compatibility mode), I get the dreaded “Sorry, you are not allowed to access OWA from this location:10.0.3.174”, even though we specified “10.0”, and as I said it works in IE non-compatibility mode. Any ideas?

Hm. For a start, that ‘.Substring’ should start with a small ‘s’. I don’t know why it worked in the past, but browsers have been getting a bit more strict about that sort of thing as time has passed. I changed the article – see if that change cures your problem, too

Hi, Is there way like that to block Outlook Anywhere for user from external but allow internal in exchange 2013 , because exchange 2013 uses outlook anywhere same for external and internal for outlook.

Probably, although I’m not entirely sure how. You can use IP address restrictions on the virtual directory that outlook anywhere connects to (I think it is called ‘rpc’ in IIS Manager) to only allow access from your internal subnet. You will need to make sure that the IP address restrictions component of IIS has been added first.

If this works, though, your external users will just get an error when they try to use outlook – they won’t, as far as I know, have any other way to get Outlook working. They will need to use Outlook Web App.

Here is the code I tested, with the change made to the s in substring, to see if that was the issue. I won’t be able to test it again until tomorrow at some point, so I’ll let you know how it goes. Thanks again for your help.
